+++ This bug was initially created as a clone of Bug #207002 +++

Problem separated out, as according to Roland McGrath it is a different one from that in the reopened Bug #207002 Comment 0.

Description of problem:

-- Additional comment from adobriyan on 2007-05-29 03:55 EST --

We saw the following oops on rhel5 utrace code

BUG: unable to handle kernel paging request at virtual address 7ca1c291
EIP is at utrace_get_signal+0x46/0x477
 get_signal_to_deliver+0xdf/0x3b1
 do_notify_resume+0xa9/0x6a5
 audit_syscall_exit+0x285/0x2a1
 work_notifysig+0x13/0x19
 copy_to_user_policy+0x73/0x7f

The failing IP corresponds to code in utrace_get_signal():

int utrace_get_signal(struct task_struct *tsk, struct pt_regs *regs,
                      siginfo_t *info, struct k_sigaction *return_ka)
{
        struct utrace *utrace = tsk->utrace;
        ...
        if (utrace->u.live.signal != NULL) {
                signal.signr = utrace->u.live.signal->signr;
                copy_siginfo(info, utrace->u.live.signal->info);
                                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^

Bogus pointer was supplied here.

How should ->utrace assignment be handled correctly?

---------------------------------------------------------------------

On (2 CPUs; qemu-kvm) kernel-2.6.23-0.211.rc8.git2.fc8.x86_64 seen:

------------[ cut here ]------------
kernel BUG at kernel/utrace.c:328!
invalid opcode: 0000 [1] SMP
CPU 0
Modules linked in: snd_hda_intel snd_usb_audio snd_seq_dummy snd_seq_oss snd_seq_midi_event snd_seq snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd_page_alloc snd_usb_lib snd_rawmidi snd_seq_device snd_hwdep snd soundcore nfs nfsd exportfs lockd nfs_acl auth_rpcgss sunrpc ipv6 dm_mirror dm_mod video output sbs button battery ac floppy 8139too parport_pc 8139cp parport mii sr_mod cdrom sg ata_piix ahci libata sd_mod scsi_mod ext3 jbd mbcache uhci_hcd ohci_hcd ehci_hcd
Pid: 22164, comm: clone-get-signa Not tainted 2.6.23-0.211.rc8.git2.fc8 #1
RIP: 0010:[<ffffffff8107570f>]  [<ffffffff8107570f>] check_dead_utrace+0xfb/0x166
RSP: 0018:ffff810006517e58  EFLAGS: 00010246
RAX: 0000000000000000 RBX: 000000000007e569 RCX: 0000000000000000
RDX: 0000000000000008 RSI: ffff81000556f240 RDI: ffff81000570a000
RBP: ffff81000570a000 R08: 00000000000001e1 R09: 0000000000000000
R10: ffffffff8107503b R11: 0000000000000212 R12: 0000000000000000
R13: ffff81000556f240 R14: 0000000000000000 R15: 0000000000000000
FS:  00002aaaaaac26f0(0000) GS:ffffffff813d7000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 000000304b550904 CR3: 0000000009bba000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process clone-get-signa (pid: 22164, threadinfo ffff810006516000, task ffff81000654a000)
Stack:  000000000007e569 ffff81000570a000 0000000000000000 000000000007e569
 ffff81000570a000 ffffffff81075eef 0000000000000018 000000000007e569
 ffff81000556f240 ffff81000570a000 ffff8100050b9480 ffffffff81076069
Call Trace:
 [<ffffffff81075eef>] wake_quiescent+0x57/0x12e
 [<ffffffff81076069>] utrace_detach+0xa3/0xba
 [<ffffffff81077d2a>] ptrace_detach+0x6e/0x10b
 [<ffffffff810782fc>] ptrace_common+0x98/0x184
 [<ffffffff81078d68>] sys_ptrace+0xf0/0x1ed
 [<ffffffff8100bd2a>] tracesys+0x71/0xda
 [<ffffffff8100bd8e>] tracesys+0xd5/0xda

Code: 0f 0b eb fe 4c 89 ef e8 58 fd ff ff 49 83 fe 10 75 3a 8b b5
RIP  [<ffffffff8107570f>] check_dead_utrace+0xfb/0x166
 RSP <ffff810006517e58>
BUG: spinlock lockup on CPU#0, clone-get-signa/22164, ffff81000556f260 [Tainted: G D]
Call Trace:
 [<ffffffff8112e6d0>] _raw_spin_lock+0xd7/0xfe
 [<ffffffff81269850>] _spin_lock+0x47/0x52
 [<ffffffff8107503b>] get_utrace_lock_attached+0x34/0x61
 [<ffffffff81075fdb>] utrace_detach+0x15/0xba
 [<ffffffff81078be9>] ptrace_exit+0x69/0xf8
 [<ffffffff8103b051>] do_exit+0x151/0x8d2
 [<ffffffff8100d42d>] kernel_math_error+0x0/0x71
 [<ffffffff8100d87a>] do_invalid_op+0x8a/0x94
 [<ffffffff8107570f>] check_dead_utrace+0xfb/0x166
 [<ffffffff81032747>] sched_balance_self+0x153/0x2a5
 [<ffffffff810542cb>] mark_held_locks+0x49/0x67
 [<ffffffff812692eb>] trace_hardirqs_on_thunk+0x35/0x37
 [<ffffffff8126a1ad>] error_exit+0x0/0x96
 [<ffffffff8107503b>] get_utrace_lock_attached+0x34/0x61
 [<ffffffff8107570f>] check_dead_utrace+0xfb/0x166
 [<ffffffff81075eef>] wake_quiescent+0x57/0x12e
 [<ffffffff81076069>] utrace_detach+0xa3/0xba
 [<ffffffff81077d2a>] ptrace_detach+0x6e/0x10b
 [<ffffffff810782fc>] ptrace_common+0x98/0x184
 [<ffffffff81078d68>] sys_ptrace+0xf0/0x1ed
 [<ffffffff8100bd2a>] tracesys+0x71/0xda
 [<ffffffff8100bd8e>] tracesys+0xd5/0xda
BUG: spinlock lockup on CPU#1, clone-get-signa/22165, ffff81000556f260 [Tainted: G D]
Call Trace:
 [<ffffffff8112e6d0>] _raw_spin_lock+0xd7/0xfe
 [<ffffffff81269850>] _spin_lock+0x47/0x52
 [<ffffffff81075c2a>] utrace_quiescent+0x148/0x21b
 [<ffffffff81076b07>] utrace_get_signal+0x4b1/0x514
 [<ffffffff810428ee>] get_signal_to_deliver+0x5a/0x3fb
 [<ffffffff810429ba>] get_signal_to_deliver+0x126/0x3fb
 [<ffffffff8100b0e9>] do_notify_resume+0xa8/0x733
 [<ffffffff81269c50>] _spin_unlock_irqrestore+0x3e/0x44
 [<ffffffff8102e08e>] update_curr+0xf8/0x11a
 [<ffffffff81052542>] lock_release_holdtime+0x27/0x48
 [<ffffffff810544bd>] trace_hardirqs_on+0x12e/0x151
 [<ffffffff81269be8>] _spin_unlock_irq+0x24/0x27
 [<ffffffff8100be3c>] int_signal+0x12/0x17

---------------------------------------------------------------------

Version-Release number of selected component (if applicable):
kernel-2.6.23-0.211.rc8.git2.fc8.x86_64

How reproducible:
After 1662 runs of the testcase; the testcase has 2000 internal loops, so approximately the 3324000th cycle.

Steps to Reproduce:
1. gcc -o ./clone-get-signal ./clone-get-signal.c -Wall -ggdb2
2. while ./clone-get-signal ;do echo -n .;done

Actual results:
Kernel crash.

Expected results:
No kernel crash, just infinite dotting.
Created attachment 211681
Testcase, a modified one from adobriyan-at-sw.ru.
Confirmed as still broken on: kernel-2.6.23-0.214.rc8.git2.fc8.x86_64 (x86_64 qemu-kvm -smp 2)
After 81 testcase runs (81*2000 cycles).

------------[ cut here ]------------
kernel BUG at kernel/utrace.c:328!
invalid opcode: 0000 [1] SMP
CPU 1
Modules linked in: snd_hda_intel snd_usb_audio snd_seq_dummy snd_seq_oss snd_seq_midi_event snd_seq snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd_page_alloc snd_usb_lib snd_rawmidi snd_seq_device snd_hwdep snd soundcore nfs nfsd exportfs lockd nfs_acl auth_rpcgss sunrpc ipv6 dm_mirror dm_mod video output sbs button battery ac floppy parport_pc parport 8139too 8139cp mii sr_mod cdrom sg ata_piix ahci libata sd_mod scsi_mod ext3 jbd mbcache uhci_hcd ohci_hcd ehci_hcd
Pid: 14810, comm: clone-get-signa Not tainted 2.6.23-0.214.rc8.git2.fc8 #1
RIP: 0010:[<ffffffff8107570f>]  [<ffffffff8107570f>] check_dead_utrace+0xfb/0x166
RSP: 0018:ffff8100082e9e58  EFLAGS: 00010246
RAX: 0000000000000000 RBX: 000000000007e569 RCX: 0000000000000000
RDX: 0000000000000008 RSI: ffff81000849c900 RDI: ffff810008aba000
RBP: ffff810008aba000 R08: 00000000000001e0 R09: 0000000000000000
R10: ffffffff8107503b R11: 0000000000000212 R12: 0000000000000000
R13: ffff81000849c900 R14: 0000000000000000 R15: 0000000000000000
FS:  00002aaaaaac26f0(0000) GS:ffff81000fcc04b0(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 000000304b550904 CR3: 0000000008b7f000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process clone-get-signa (pid: 14810, threadinfo ffff8100082e8000, task ffff810008734000)
Stack:  000000000007e569 ffff810008aba000 0000000000000000 000000000007e569
 ffff810008aba000 ffffffff81075eef 0000000000000018 000000000007e569
 ffff81000849c900 ffff810008aba000 ffff810008bf6a80 ffffffff81076069
Call Trace:
 [<ffffffff81075eef>] wake_quiescent+0x57/0x12e
 [<ffffffff81076069>] utrace_detach+0xa3/0xba
 [<ffffffff81077d2a>] ptrace_detach+0x6e/0x10b
 [<ffffffff810782fc>] ptrace_common+0x98/0x184
 [<ffffffff81078d68>] sys_ptrace+0xf0/0x1ed
 [<ffffffff8100bd2a>] tracesys+0x71/0xda
 [<ffffffff8100bd8e>] tracesys+0xd5/0xda

Code: 0f 0b eb fe 4c 89 ef e8 58 fd ff ff 49 83 fe 10 75 3a 8b b5
RIP  [<ffffffff8107570f>] check_dead_utrace+0xfb/0x166
 RSP <ffff8100082e9e58>
BUG: spinlock lockup on CPU#0, clone-get-signa/14811, ffff81000849c920 [Tainted: G D]
Call Trace:
 [<ffffffff8112e6d0>] _raw_spin_lock+0xd7/0xfe
 [<ffffffff81269850>] _spin_lock+0x47/0x52
 [<ffffffff81075c2a>] utrace_quiescent+0x148/0x21b
 [<ffffffff81076b07>] utrace_get_signal+0x4b1/0x514
 [<ffffffff810428ee>] get_signal_to_deliver+0x5a/0x3fb
 [<ffffffff810429ba>] get_signal_to_deliver+0x126/0x3fb
 [<ffffffff8100b0e9>] do_notify_resume+0xa8/0x733
 [<ffffffff81052542>] lock_release_holdtime+0x27/0x48
 [<ffffffff8100bc9b>] sysret_signal+0x21/0x31
 [<ffffffff8100bf47>] ptregscall_common+0x67/0xb0
BUG: spinlock lockup on CPU#1, clone-get-signa/14810, ffff81000849c920 [Tainted: G D]
Call Trace:
 [<ffffffff8112e6d0>] _raw_spin_lock+0xd7/0xfe
 [<ffffffff81269850>] _spin_lock+0x47/0x52
 [<ffffffff8107503b>] get_utrace_lock_attached+0x34/0x61
 [<ffffffff81075fdb>] utrace_detach+0x15/0xba
 [<ffffffff81078be9>] ptrace_exit+0x69/0xf8
 [<ffffffff8103b051>] do_exit+0x151/0x8d2
 [<ffffffff8100d42d>] kernel_math_error+0x0/0x71
 [<ffffffff8100d87a>] do_invalid_op+0x8a/0x94
 [<ffffffff8107570f>] check_dead_utrace+0xfb/0x166
 [<ffffffff81032747>] sched_balance_self+0x153/0x2a5
 [<ffffffff810542cb>] mark_held_locks+0x49/0x67
 [<ffffffff812692eb>] trace_hardirqs_on_thunk+0x35/0x37
 [<ffffffff8126a1ad>] error_exit+0x0/0x96
 [<ffffffff8107503b>] get_utrace_lock_attached+0x34/0x61
 [<ffffffff8107570f>] check_dead_utrace+0xfb/0x166
 [<ffffffff81075eef>] wake_quiescent+0x57/0x12e
 [<ffffffff81076069>] utrace_detach+0xa3/0xba
 [<ffffffff81077d2a>] ptrace_detach+0x6e/0x10b
 [<ffffffff810782fc>] ptrace_common+0x98/0x184
 [<ffffffff81078d68>] sys_ptrace+0xf0/0x1ed
 [<ffffffff8100bd2a>] tracesys+0x71/0xda
 [<ffffffff8100bd8e>] tracesys+0xd5/0xda
Confirmed as still broken on: kernel-2.6.23-0.217.rc9.git1.fc8.x86_64 (x86_64 4 CPU)

clone-get-signa used greatest stack depth: 3512 bytes left
clone-get-signa used greatest stack depth: 3240 bytes left
clone-get-signa used greatest stack depth: 3016 bytes left
clone-get-signa used greatest stack depth: 2984 bytes left
clone-get-signa used greatest stack depth: 2936 bytes left
------------[ cut here ]------------
kernel BUG at kernel/utrace.c:328!
invalid opcode: 0000 [1] SMP
CPU 1
Modules linked in: autofs4 hidp rfcomm l2cap bluetooth sunrpc ipv6 cpufreq_ondemand acpi_cpufreq dm_multipath video output sbs battery ac lp loop tg3 snd_hda_intel snd_seq_dummy snd_seq_oss snd_seq_midi_event snd_seq snd_seq_device snd_pcm_oss snd_mixer_oss snd_pcm snd_timer parport_pc snd iTCO_wdt iTCO_vendor_support soundcore snd_page_alloc button serio_raw parport i5000_edac joydev edac_core shpchp floppy sr_mod cdrom sg dm_snapshot dm_zero dm_mirror dm_mod ata_generic ata_piix libata sd_mod scsi_mod ext3 jbd mbcache uhci_hcd ohci_hcd ehci_hcd
Pid: 17037, comm: clone-get-signa Not tainted 2.6.23-0.217.rc9.git1.fc8 #1
RIP: 0010:[<ffffffff810757a3>]  [<ffffffff810757a3>] check_dead_utrace+0xfb/0x166
RSP: 0018:ffff81006ddd3e58  EFLAGS: 00010246
RAX: 0000000000000000 RBX: 000000000007e569 RCX: 0000000000000000
RDX: 0000000000000008 RSI: ffff81006c91b000 RDI: ffff81006f024000
RBP: ffff81006f024000 R08: 0000000000000215 R09: 0000000000000000
R10: ffffffff810750cf R11: 0000000000000212 R12: 0000000000000000
R13: ffff81006c91b000 R14: 0000000000000000 R15: 0000000000000000
FS:  00002aaaab0166f0(0000) GS:ffff81007ffc0578(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 00002aaaab0118e4 CR3: 000000006c456000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process clone-get-signa (pid: 17037, threadinfo ffff81006ddd2000, task ffff81006ddd0000)
Stack:  000000000007e569 ffff81006f024000 0000000000000000 000000000007e569
 ffff81006f024000 ffffffff81075f83 0000000000000292 000000000007e569
 ffff81006c91b000 ffff81006f024000 ffff81006d6c6180 ffffffff810760fd
Call Trace:
 [<ffffffff81075f83>] wake_quiescent+0x57/0x12e
 [<ffffffff810760fd>] utrace_detach+0xa3/0xba
 [<ffffffff81077dbe>] ptrace_detach+0x6e/0x10b
 [<ffffffff81078390>] ptrace_common+0x98/0x184
 [<ffffffff81078dfc>] sys_ptrace+0xf0/0x1ed
 [<ffffffff8100bbfe>] system_call+0x7e/0x83

Code: 0f 0b eb fe 4c 89 ef e8 58 fd ff ff 49 83 fe 10 75 3a 8b b5
RIP  [<ffffffff810757a3>] check_dead_utrace+0xfb/0x166
 RSP <ffff81006ddd3e58>
Based on the date this bug was created, it appears to have been reported during the development of Fedora 8. In order to refocus our efforts as a project we are changing the version of this bug to '8'. If this bug still exists in rawhide, please change the version back to rawhide. (If you're unable to change the bug's version, add a comment to the bug and someone will change it for you.) Thanks for your help and we apologize for the interruption. The process we're following is outlined here: http://fedoraproject.org/wiki/BugZappers/F9CleanUp We will be following the process here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this doesn't happen again.
Verified as fixed on kernel-2.6.25.4-10.fc8.x86_64.